Tavis Ormandy <taviso@xxxxxxxxxx> writes:
> On Thu, Aug 22, 2013 at 1:35 PM, Jilles Tjoelker <jilles@xxxxxxxx> wrote:
>> I think there is no reason to deviate from other shells here. Therefore,
>> please call it "privileged".
>>
>
> Agreed.
>
>>> In bash and FBSD, after starting with -p, set +p can be used to drop
>>> privileges. With your patch, dash accepts set +p, but silently ignores it.
>>
>>> How does something like the attached, to be applied on top of your
>>> patch, look?
>>
>>> [snip]
>>> + if (!on && (uid != geteuid() || gid != getegid())) {
>>> + setuid(uid);
>>> + setgid(gid);
>>> + /* PS1 might need to be changed accordingly. */
>>> + choose_ps1();
>>> + }
>>> +}
>>
>> This code tries to use setuid() and setgid() to drop all privilege,
>> which is only correct if the privilege to be dropped is UID 0, or on BSD
>> systems. It would be better to use setresuid() or setreuid(), and change
>> the GID before changing the UID.
>
> This is logic duplicated from pdksh and bash, I'm slightly reluctant
> to do things differently, unless it's not going to get committed
> otherwise.
pdksh is only maintained by OpenBSD, afaik (mksh syncs regularly).
The current code rather looks like this:
if (f == FPRIVILEGED && oldval && !newval) {
gid_t gid = getgid();
setresgid(gid, gid, gid);
setgroups(1, &gid);
setresuid(ksheuid, ksheuid, ksheuid);
} ...
> You can see some code snippets here:
> http://blog.cmpxchg8b.com/2013/08/security-debianisms.html
>
>> Apart from that, it is better to check the return value from setuid()
>> and similar functions. In particular, some versions of Linux may fail
>> setuid() for [EAGAIN], leaving the process running with the same
>> privileges.
>
> I don't think this is true anymore, but I have no strong objection to
> adding it, so long as it's noted that bash and pdksh do not do this.
>
> Tavis.
--
jca | PGP: 0x06A11494 / 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
--
To unsubscribe from this list: send the line "unsubscribe dash" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] implement privmode support in dash
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: [PATCH] implement privmode support in dash
- From: jca+dash@xxxxxxxxxx (Jérémie Courrèges-Anglas)
- Date: Fri, 23 Aug 2013 13:13:07 +0200
- Cc: Jilles Tjoelker <jilles@xxxxxxxx>, Harald van Dijk <harald@xxxxxxxxxxx>, dash@xxxxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx
- In-reply-to: <CAJ_zFkJEb02d8Xs=RcWnRT7JbgDUYiAwMUUc3WFAfXr1ZN-0DQ@mail.gmail.com> (Tavis Ormandy's message of "Thu, 22 Aug 2013 13:42:32 -0700")
- User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix)
- References:
- [PATCH] implement privmode support in dash
- From: Tavis Ormandy
- Re: [PATCH] implement privmode support in dash
- From: Harald van Dijk
- Re: [PATCH] implement privmode support in dash
- From: Jilles Tjoelker
- Re: [PATCH] implement privmode support in dash
- From: Tavis Ormandy
- [PATCH] implement privmode support in dash
- Prev by Date: Re: OPTIND
- Next by Date: Re: [PATCH] implement privmode support in dash
- Previous by thread: Re: [PATCH] implement privmode support in dash
- Next by thread: Re: [PATCH] implement privmode support in dash
- Index(es):
 |